Hello,
I just jumped into apacheds and doing basic stuff for directory
integration (apacheds-1.0.1).
Now what I can't find is docs that I can use to set up ACIs, does
anybody have links for this?
I found the authoriztation[1] and the subsequent pages. But even the
"Enable Search for all users"[2] is somewhat unclear to me.
We're trying to switch as much of our services as possible to java
since our company develops mainly in that area, however I'm not a Java
programmer.
Back to the topic, following the example in [2] I think the following
should be true:
ACIs are handled over ldif entries, which in turn are applied to the a
subtree or a single element, meaning if I need an ACI for a subtree or
entry in apacheds i have to add an:
objectClass: accessControlSubentry
to the entry I want to grant/deny access.
Translating the java code on [2] to ldif the following should result:
I kept the newlines in prescriptive aci for reading purpose:
(if this is correct maybe someone could post it to [3])
--snip--
dn: cn=enableSearchForAllUsers,dc=example,dc=com
ObjectClass: accessControlSubentry
subtreeSpecification: {}
prescriptiveACI:
{
identificationTag "enableSearchForAllUsers",
precedence 14,
authenticationLevel simple,
itemOrUserFirst userFirst:
{
userClasses { allUsers },
userPermissions
{
{
protectedItems {entry, allUserAttributeTypesAndValues},
grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
}
}
}
}
--snap--
Now with this Information say I have an inetPersonOrg at the following location:
--snip--
dn: uid=john.doe,ou=accounts,ou=people,dc=example,dc=com
ObjectClass: inetOrgPerson
ObjectClass: organizationalPerson
ObjectClass: person
ObjectClass: posixAccount
ObjectClass: shadowAccount
ObjectClass: top
cn: John Doe
cn: Jonathan Doe
gidnumber: 1000
homedirectory: /home/john.doe
sn: Doe
uid: john.doe
uidnumber: 1000
displayname: John Doe
givenname: John
givenname: Johnathan
--snap--
Now I want only "dn:
uid=john.doe,ou=accounts,ou=people,dc=example,dc=com" to be able to
access it (self read/modify - everything in essence)
--snip--
dn: uid=john.doe,ou=accounts,ou=people,dc=example,dc=com
changetype: modify
add: ObjectClass
ObjectClass: accessControlSubentry
-
add: subtreeSpecification
subtreeSpecification: {}
-
add: prescriptiveACI
prescriptiveACI:
{
identificationTag "enableJohnDoeSelfAccess",
precedence 50,
authenticationLevel simple,
itemOrUserFirst userFirst:
{
userClasses { thisEntry },
userPermissions
{
{
protectedItems {entry, allUserAttributeTypesAndValues},
grantsAndDenials { grantModify, grantRead, grant ReturnDN, grantBrowse }
}
}
}
}
--snap--
Did I get that right, or is it completely wrong.
Summary:
1 to modify ACIs create an ldif and modify the subtree of entry itself
2 ACIs are defined in the ObjectClass: accessControlSubentry and the
attribute prescriptiveACI with the Syntax mentionend somewhere in [1]
I think (at least there's an EBNF notations linked somewhere in that
area)
[1] http://directory.apache.org/apacheds/1.0/authorization.html
[2] http://directory.apache.org/apacheds/1.0/enablesearchforallusers.html
[3] http://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=DIRxSRVx10&title=enableSearchForAllUsers.ldif&linkCreation=true&fromPageId=26217
--
Martin Marcher
martin.marcher@gmail.com
http://www.mycorners.com
https://www.xing.com/profile/Martin_Marcher
http://www.linkedin.com/in/martinmarcher
http://www.studivz.net/profile.php?ids=9f83ea8c5996b8ec
http://www.amazon.de/gp/registry/wishlist/3KDAGCL2NKOIM/ref=reg_hu-wl_goto-registry/302-4432803-5146435?ie=UTF8&sort=date-added